Health Care Matters

A Complimentary Newsletter From:

Law Offices Of David S. Barmak, LLC

Managing Risk for Long Term Care and Health Care Providers

Volume 10, Issue 6                               ADVERTISEMENT                    SEPTEMBER 2009

In This Issue
Health Information Technology for Economic and Clinical Health Act (HITECH)
Conducting Proper Workplace Investigations
In the Spotlight
David S. Barmak, Esq. 
David Photo
Licensed to practice law in the States of New Jersey, New York, Connecticut and Pennsylvania 
 
Health Information Technology for Economic and Clinical Health Act (HITECH)
On April 17, 2009, the Department of Health and Human Services (HHS) released guidance to health care providers and their business associates (who are now considered covered entities similar to health care providers) about the technologies and methodologies for rending protected health information (PHI) secure. The HHS guidance determines when new data breach notification rules, as required by the Health Information Technology for Economic and Clinical Health Act (HITECH Act) require the health care provider and business associate to provide notification of the breach of security of "unsecured protected health information."
 
A breach of unsecured PHI occurs when there is an "unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of that information, except where the unauthorized person to whom the information was disclosed would not reasonably have been able to retain such information." Exceptions to the "breach" definition include where the "breach" was unintentional and made by an employee or individual authorized by the covered entity or business associate to have access to PHI and made in good faith and within the scope of employment; and where the "breach" was inadvertently disclosed by an individual who is authorized to access PHI at a facility operated by a covered entity to another similarly situated individual at the same facility.
 
If a breach of unsecured PHI does occur, the covered entity must notify each individual whose PHI has been or was reasonably believed to have been accessed, acquired or disclosed within 60 days after discover of the breach.  Covered entities are not required to give this notification if they follow HHS guidance standards for technologies and methodologies acceptable to render PHI unusable, unreadable or indecipherable to unauthorized persons (e.g.; encryption and destruction to secure electronic PHI from unauthorized access and use).
 
On April 20, 2009, the Federal Trade Commission (FTC) published a proposed rule, as required under the HITECH Act, regarding data breach regulations for HIPAA business associates and other entities dealing with personal health records (PHR). The proposed rule would require vendors of PHR and related entities to provide notice to consumers and the FTC when the security of their electronic health information is breached. The proposed rule outlines requirements governing the standard for what triggers the notice as well as the timing, method and content of the notice.

Recommended next steps: review and revise HIPAA Privacy and Data Security Policies and Procedures, including but not limited to revising business associate agreements.
Conducting Proper Workplace Investigations
Administrators and Compliance Officers are often faced with determining what actually occurred when one or more employees engage in possible workplace misconduct. It is essential for you to be able to properly conduct workplace investigations without adding liability exposure to the organization while doing so. Your investigation must be thorough and unbiased.
 
Many different problems can lead to an investigation:  substance abuse, discrimination complaints, harassment complaints, threats by one employee against another employee, etc. The goal of any investigation is to understand the underlying reasons for the problem so that you can take corrective action. However, you must also be knowledgeable about state and federal employment laws, be thorough and objective and protect the privacy rights of employees. No one said being the Administrator or Compliance Officer was going to be easy!
 
To begin, must you do an investigation when you receive an employee's complaint? YES!  There are numerous federal laws that actually mandate investigations upon receiving a complaint. For example, job discrimination laws, health and safety laws, background and credit check laws as well as drug-free workplace laws.
It is beyond the scope of this article to give all of the details that you must be aware of when conducting an investigation; however, please be mindful of the following issues that potentially increase liability for the organization:
  • Personnel Files - maintain appropriate confidentiality as you and others who have a job related need to know access the files.
  • Searches at Work - respect reasonable expectations of privacy that employees have at work.
  • Drug testing - ensure that all of the appropriate releases and procedures are in place prior to drug testing current employees.
  • Defamation - remember, defamation is the communication of false information about a third person to a third party, either intentionally or with reckless disregard for its falsity.
  • Retaliation - employees who file claims in good faith are protected under numerous laws from retaliation for having filed such claims.

There are certain steps that are common to any investigation. These include recognizing when an investigation is required; determining what the goals of the investigation are; identifying the appropriate investigators; identifying potential witnesses and documents for review; developing a written list of questions to use during the interviews; determine proper security for the records that will be reviewed and generated during the investigation; and consult your compliance attorney to ensure that the procedures being followed minimize liability exposure for the organization and maximize the use of attorney - client privilege as needed.

In the Spotlight
Porsche, a CNA at New Vista Nursing & Rehabilitation Center, Newark, NJ, shared with me that in her home country, Nigeria, there are no skilled nursing homes - only acute care hospitals and maternity hospitals. While she was growing up, her grandmother lived with her family. She saw how lovingly and caringly her mother cared for her grandmother when her grandmother became ill. Porsche said that throughout Nigeria, when the elderly or young are ill and come home from any type of hospital they are taken care of by their family. When family members become old it is expected that the children will take care of them. Porsche grew up watching her mother take care of her grandmother. Her grandmother died at the age of 89. Porsche helped her mother bathe her grandmother and saw how wonderful her grandmother felt when Porsche would wash her grandmother's face and hair. Providing this care to her grandmother made Porsche feel very good about herself. Porsche's mother also had a preschool in Nigeria and when Porsche was old enough she became a teacher there. At the end of the school day the teachers, including Porsche, would wash all of the preschoolers and dress the children after changing the children's diapers. She also felt so good about herself when she did take care of the children. Porsche loves being a CNA because it makes her feel good to help the elderly in the nursing home with chores and tasks which they, the residents, can no longer do themselves. She keeps in mind that these elderly patients once led interesting lives and were able to fully care for themselves when they were young. She reminds herself that the residents once were able to walk and travel to their jobs. Now, because of age and illness, the residents are not able to do any of those activities and are now completely dependent upon the CNAs. Porsche finds residents are so appreciative of the little things the CNAs do for them because they can't do it for themselves. When Porsche looks back at her childhood and her own youth, she sees that all of her experiences led her to appreciate and value helping people, particularly the elderly, and directed her to becoming a CNA. She gets great satisfaction from the reactions of the residents she helps.
You just can't make up stories like this!
 
A CNA answered on a job application:  Previous employment "self employed in pharmaceuticals." The criminal background check sort of confirmed the entry on the job application - the CNA had been recently convicted of drug abuse and drug possession.

     
Law Offices Of David S. Barmak, LLC
David Barmak established his health care law firm in 1984 to deliver legal services, both in transactions and litigation, to organizations and professional practitioners in the health care field.  We call this approach "Enterprise-Wide Risk Management" because it includes three important facets:
  1. Counsel and advisement on all aspects of legal risk, from setting up the entity to corporate governance and compliance;
  2. Protection of your practice or business through litigation prosecution or defense in the Courts; as well as regulatory compliance and licensure issues before government agencies; and
  3. Operations improvement through the implementation of enterprise-wise onsite audits, programs and training seminars in the areas of, but not limited to, Fraud and Abuse, HIPAA Privacy and Data Security, Employment, A/R Management, Emergency Preparedness, and Workplace Violence.

David S. Barmak, Esq. received his JD from Cornell University and BA from Duke University.  He is licensed to practice and serves clients in the States of New Jersey, New York, Connecticut and Pennsylvania.  Before making your choice of attorney, you should give this matter careful thought.  The selection of an attorney is an important decision.  The recipient may, if the newsletter is inaccurate or misleading, report the same to the Committee on Attorney Advertising. 

For more information, please contact us:
Telephone (609) 688-0055
Fax (609) 688-1199
Disclaimer:  The contents of this newsletter are presented as general information.  Legal advice and opinion can only be provided upon individual consultation.
        © 2009.  All Rights Reserved.